zitadel/.github/workflows/pack.yml

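name: Package und Publish Archives and Images
# Reusable workflow: it only runs when another workflow calls it, so the
# caller decides which inputs and secrets reach the jobs below.
on:
  workflow_call:
    inputs:
      # Node.js version handed to actions/setup-node in the pack job.
      node_version:
        required: true
        type: string
      # Image names are passed unchanged to docker/metadata-action as push
      # targets. Presumably the *_github_* names point at ghcr.io and the
      # *_google_* names at europe-docker.pkg.dev (the two registries the pack
      # job logs in to) - verify against the caller.
      image_name_github_api:
        required: true
        type: string
      image_name_github_login:
        required: true
        type: string
      image_name_google_api:
        required: true
        type: string
      image_name_google_login:
        required: true
        type: string
      # Optional; forwarded to ./.github/workflows/version.yml by the version job.
      semantic_version:
        required: false
        type: string
    secrets:
      # Credential for the Google Artifact Registry login step. Base64 is an
      # encoding, not encryption: anyone holding this value holds the key.
      # NOTE(review): the pack job also reads secrets.NX_CLOUD_ACCESS_TOKEN and
      # secrets.NX_CLOUD_ACCESS_TOKEN_READONLY, which are not declared here;
      # presumably they come from the job's environment or from
      # `secrets: inherit` in the caller - confirm.
      GCR_JSON_KEY_BASE64:
        description: 'base64 encoded key to connect to Google'
        required: true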
# Workflow-level environment shared by all jobs.
env:
  # OCI image labels, one key=value per line. The pack job passes this value
  # to docker/metadata-action through `${{ env.default_labels}}`, so every
  # image published there carries these labels.
  default_labels: |
    org.opencontainers.image.documentation=https://zitadel.com/docs
    org.opencontainers.image.vendor=ZITADEL
# Two jobs: `version` resolves the version string, `pack` builds the archives
# and pushes three container images (API scratch, API debug, Login) to both
# ghcr.io and europe-docker.pkg.dev.
#
# NOTE(review): every `uses:` below references a version tag (@v3..@v6), and
# tags are mutable. This job handles registry push credentials, so consider
# pinning third-party actions to full commit SHAs.
jobs:
  # Calls the repository-local reusable workflow; its `version` output is read
  # by the pack job. What `dry_run: true` does is defined in version.yml and is
  # not visible here.
  version:
    uses: ./.github/workflows/version.yml
    with:
      semantic_version: ${{ inputs.semantic_version }}
      dry_run: true
  # NOTE(review): no `permissions:` key is set, so GITHUB_TOKEN has whatever
  # scopes the caller grants. The steps visibly need read access for checkout
  # and package write access for the ghcr.io push; declaring exactly that here
  # would enforce least privilege - confirm nothing else depends on the token.
  pack:
    # Runner group; whether its runners are ephemeral is not visible here.
    runs-on:
      group: zitadel-public
    # Attaches the 'Protected' environment (and any secrets or approval rules
    # bound to it) only when the triggering ref is protected; otherwise no
    # environment is used.
    # NOTE(review): github.ref_protected is documented as a boolean and is
    # compared to the string 'true' here - verify that the type coercion really
    # selects 'Protected' on protected refs.
    environment: ${{ github.ref_protected == 'true' && 'Protected' || null }}
    needs: version
    steps:
      # Full history (fetch-depth: 0) as a treeless partial clone (tree:0).
      # actions/checkout keeps the token in the local git config by default, so
      # it stays readable by the pnpm/nx steps that follow.
      # NOTE(review): a treeless clone may fetch objects lazily later on, so
      # check that before setting persist-credentials to false.
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          filter: tree:0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          run_install: false
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node_version }}
          cache: "pnpm"
      # Buildx is pinned to a fixed release here (compare the second Buildx
      # step further down, which is not).
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          version: v0.28.0
      # --frozen-lockfile makes the install fail instead of rewriting the
      # lockfile. This and the nx steps run before either registry login, so
      # the registry credentials are not yet in the Docker config at this point.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      # Prefers the read-write Nx Cloud token and falls back to the read-only
      # one when the first is empty.
      # NOTE(review): a read-write token can write to the remote cache;
      # presumably it only resolves on protected refs (e.g. as a secret of the
      # 'Protected' environment) - confirm.
      - name: Pack API and Login
        env:
          ZITADEL_VERSION: ${{ needs.version.outputs.version }}
          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN || secrets.NX_CLOUD_ACCESS_TOKEN_READONLY }}
        run: pnpm nx run --nxBail pack
      # always() runs this step even when an earlier step failed. What it sends
      # to Nx Cloud is not visible here.
      - name: Suggest Pipeline Fix By Nx Cloud AI
        if: always()
        env:
          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN || secrets.NX_CLOUD_ACCESS_TOKEN_READONLY }}
        run: pnpm nx fix-ci
      - name: Upload all platform archives
        uses: actions/upload-artifact@v4
        with:
          name: zitadel-archives
          path: .artifacts/pack
      # QEMU is needed for the linux/arm64 half of the multi-platform builds.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      # NOTE(review): second Buildx setup, this time without the `version` pin
      # used above - confirm which buildx version the image builds end up using.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Pushing to ghcr.io with GITHUB_TOKEN requires the token to carry
      # package write permission.
      - name: Login to Docker registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Authenticates with a stored service-account key (base64-encoded JSON).
      # NOTE(review): this is a long-lived credential; short-lived OIDC-based
      # credentials (workload identity federation) would remove the stored key.
      - name: Login to Google Artifact Registry
        uses: docker/login-action@v3
        with:
          registry: europe-docker.pkg.dev
          username: _json_key_base64
          password: ${{ secrets.GCR_JSON_KEY_BASE64 }}
      # Tags each image name with the full commit SHA (no prefix or suffix).
      # A tag can be re-pointed later; consumers that need immutability should
      # reference the image digest instead.
      - name: Generate Standard Tags and Labels from the GitHub Context for the API Scratch Container Image
        id: scratch-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ inputs.image_name_github_api }}
            ${{ inputs.image_name_google_api }}
          labels: ${{ env.default_labels}}
          tags: |
            type=sha,prefix=,suffix=,format=long
      # Builds the `final` stage of apps/api/Dockerfile for amd64 and arm64 and
      # pushes it to both registries. All three builds in this job use
      # type=gha caching without a `scope`, so they share one cache scope.
      - name: Build and Push the SHA-tagged API Scratch Container Image
        id: build-scratch
        uses: docker/build-push-action@v6
        timeout-minutes: 3
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: apps/api/Dockerfile
          target: final
          platforms: linux/amd64,linux/arm64
          push: true
          labels: ${{ steps.scratch-meta.outputs.labels }}
          tags: ${{ steps.scratch-meta.outputs.tags }}
      # Same as scratch-meta, but the tag is the commit SHA plus `-debug`.
      - name: Generate Standard Tags and Labels from the GitHub Context for the API Debug Container Image
        id: debug-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ inputs.image_name_github_api }}
            ${{ inputs.image_name_google_api }}
          labels: ${{ env.default_labels}}
          tags: |
            type=sha,prefix=,suffix=-debug,format=long
      # Publishes the `builder` stage of the same Dockerfile as the debug image.
      # NOTE(review): the Dockerfile is not visible here; a build stage
      # typically holds sources and toolchain, so verify that nothing sensitive
      # (credentials, private build inputs) ends up in the published layers.
      # NOTE(review): `push: true`, `tags` and an explicit `outputs` entry are
      # combined - confirm which image names actually get pushed.
      - name: Build and Push the SHA-tagged API Debug Container Image
        id: build-debug
        uses: docker/build-push-action@v6
        timeout-minutes: 5
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: apps/api/Dockerfile
          target: builder
          platforms: linux/amd64,linux/arm64
          push: true
          labels: ${{ steps.debug-meta.outputs.labels }}
          tags: ${{ steps.debug-meta.outputs.tags }}
          outputs: type=image,name=${{ inputs.image_name_github_api }},name-canonical=true
      # Login image metadata: adds an MIT license label ahead of the shared
      # default labels; the tag is the full commit SHA.
      - name: Generate Standard Tags and Labels from the GitHub Context for the Login Container Image
        id: login-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ inputs.image_name_github_login }}
            ${{ inputs.image_name_google_login }}
          labels: |
            org.opencontainers.image.licenses=MIT
            ${{ env.default_labels}}
          tags: |
            type=sha,prefix=,suffix=,format=long
      # Builds from the apps/login context (no `file` or `target` given) and
      # pushes to both registries.
      - name: Build and Push the SHA-tagged Login Container Image
        id: build-login
        uses: docker/build-push-action@v6
        timeout-minutes: 3
        with:
          context: apps/login
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
          push: true
          labels: ${{ steps.login-meta.outputs.labels }}
          tags: ${{ steps.login-meta.outputs.tags }}